Showing posts with label book.

Thursday, December 13, 2012

PCI Compliance Book Giveaway #2

OK folks, our PCI Compliance book has been out for a few months now, and Branden & I thought it would be fun to give away a copy with another contest! We have assembled a group of three independent judges who will look at the submissions and pick winners for each competition. The winner will receive a free, signed copy of the book! In fact, it would be one of those rare “dual-signed” copies with both of our signatures (and the book will have to travel from TX to CA – or from CA to TX – for this :-))

So, on to the second contest (the first one is here).

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly and security-friendly practitioner’s line. However, sometimes even a compliance guy has to be CREATIVE!

So, our second challenge to you: in the comments below, please tell us about the MOST CREATIVE PCI DSS CONTROL you implemented, assessed or even witnessed.

HOWEVER, it will help your submission if such a control was also ACCEPTED by a QSA. We will absolutely reject creative control submissions that have no chance of making your environment PCI DSS compliant…

You’ve got about a week (until the end of December 21st), and we will announce the winners after the holidays!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.


Tuesday, December 04, 2012

PCI Compliance Book Giveaway–Results

Our PCI Compliance Book Giveaway has ended – with a bang!  The winning entry (submitted here) is below:

"Hilarious in a sad way, the worst PCI fail I ever had was getting solicited by a Wedding / Bridal catalog company to assist them in improving their online ordering and bridal catalog subscription service. I had no contract with them, this was just a preliminary "Let's see what we can do for you." They sent us their website, and also e-mailed me a copy of their site's source code. In the source code was an SQL dump of over 7 years of brides' personal information including names, addresses, birthdays, and FULL credit card numbers, expiration dates, CCVs, card type, phone numbers, email addresses, and unencrypted passwords. In shock at seeing this, I called the potential client, said we couldn't help them and deleted the data as completely as I could. Eek!"

The winner, “James P”, please mail your address to authors@pcicompliancebook.info and we will mail you your signed copy of The PCI Book, 3rd edition. And, no, we won’t charge your credit card for that :-)
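The “SQL dump in the source tree” fail above suggests a check worth running before any code drop or database export leaves your hands (or lands in yours): scan it for card numbers. Below is an added example, my own illustration rather than code from the book, the blog or the contest entry, of a small Luhn-validated PAN scanner in Python. The brand prefix/length table is an assumption for the demo, and the sample dump is constructed from the well-known public test card numbers, not real data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: find primary account numbers (PANs) in text such as an SQL
# dump or a source tree. A run of 13-19 digits (spaces or dashes allowed
# between digits) is a candidate; it is reported only if it passes the Luhn
# check AND matches a known brand prefix/length, which keeps timestamps,
# order IDs and phone numbers out of the report.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def brand_of(digits: str) -> Optional[str]:
    """Brand prefix/length table (assumption for this demo; extend as needed)."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n == 16 and (four == 6011 or two == 65):
        return "Discover"
    return None


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS Requirement 3.3 lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class PanHit:
    line: int
    brand: str
    masked: str


def scan_for_pans(text: str) -> List[PanHit]:
    """Return one PanHit per Luhn-valid, brand-matching number, never the raw PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                hits.append(PanHit(lineno, brand, mask(digits)))
    return hits


# Constructed sample dump using public test card numbers; not real cardholder
# data. Line 5 fails Luhn, line 6 is a 17-digit timestamp that no brand matches.
SAMPLE_DUMP = """\
-- constructed sample, not real data
INSERT INTO brides VALUES (1, 'Ann', '4111 1111 1111 1111', '0914', '123');
INSERT INTO brides VALUES (2, 'Bea', '5555555555554444', '1115', '456');
INSERT INTO brides VALUES (3, 'Cat', '378282246310005', '0313', '7890');
INSERT INTO brides VALUES (4, 'Dee', '4111111111111112', '0114', '999');
INSERT INTO orders VALUES (1001, 20120101123456789, 'shipped');
"""

if __name__ == "__main__":
    for hit in scan_for_pans(SAMPLE_DUMP):
        print(f"line {hit.line}: {hit.brand} {hit.masked}")
```

Run it over a real dump with `scan_for_pans(open(path).read())`; the report only ever carries the masked form, so the scanner itself does not become another place where full PANs are written down.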

The runner-up entries were:

“A very large retailer decides to reorganize their IT department to be more responsive and reactive. As part of that reorganization, they create a group titled 'Enterprise Monitoring' that is responsible for the care/feeding of the log management and analysis solutions. Centralized personnel that actually do the monitoring are pushed out to the business units where, according to IT management, the actual monitoring belongs. Everyone at the meeting announcing this decision says that the name, Enterprise Monitoring, needs to be changed because it gives the impression that the group does the monitoring, but they are overruled.
Spin ahead almost a year later to their PCI assessment. The monitoring personnel that were pushed out to the business units were, surprise/surprise, seen as new bodies that could be used for everything BUT monitoring. So, we have great log management and analysis solutions running, but no one has been monitoring anything for almost a year! When asked, the business units point to the Enterprise Monitoring group and say that it is their responsibility because they are 'Enterprise Monitoring'. DUH!” (source)

and

“I work with a stadium and arena concessions operation that once told me they were compliant because they put their card swipe readers on the counter and turned them around to face the customer. They no longer touched the cards so this made them compliant. True story.” (source)

and

“It’s not a fail, but I certainly found humor in this. When enrolling in training with the PCI Security Standards Council, if you would like to pay by credit card they ask that you write your CC#, CVV, Expiration, etc. on the invoice and fax it or mail it to them. They note, it is a secure and password protected fax. I expected something a little more from the people who create the standards, but hey, that’s one way to reduce your scope. Upon receiving the invoice, it was an LOL moment.” (source)

MORE PCI Book CONTESTS ARE COMING!! Stand by….

Thursday, November 15, 2012

PCI Compliance Book Giveaway!

OK folks, our PCI Compliance book has been out for a couple of months now, and Branden & I thought it would be fun to give away a couple of copies with a contest! We have assembled a group of three independent judges who will take a whittled-down list and pick winners for each competition. The winner will receive a free, signed copy of the book!

So, on to the first contest.

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly practitioner’s line. But we’ve all been in those meetings when you look at a particular defense of a control (or lack thereof) and you can’t help but laugh a little at the ridiculous nature of what was presented.

So, our first challenge to you: in the comments below, please tell us about your MOST HILARIOUS PCI FAIL.

You’ve got a week (until the end of Wednesday, November 21st), and we will announce the winners after the US Thanksgiving holiday!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Tuesday, July 17, 2012

Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon

This is not a book for everybody (and your grandmother probably does not need to read it; neither does an average IT professional). However, I think that this book is pure gold for those tasked with interacting with analyst firms.

I am an analyst, and I wish every vendor client read this book and followed some of the advice given there. It would reduce pain on both sides of the conversation, as well as make the interactions more valuable for – again! - both sides.

Obviously, this is not a book to guarantee your IT product a favorable placement in analyst research. It is also not a book on how to bamboozle the analysts, despite its focus on analyst influence. However, it is definitely a book to make sure that well deserving products, developed and marketed by good teams of people, don't get sidelined.

Some of the specifics that I liked include the influence pyramid concept, social media techniques, a careful approach to managing corporate Wikipedia entries, specific approaches to various analyst activities (such as calls, reports, advisory days and conferences), etc. My favorite sections (both fun to read as well as insightful!) are the one on “guerrilla tactics” and the obligatory “what not to do” chapter (the latter has a few sad case studies of IT vendors who screwed themselves up). Another great chapter covers the role of a vendor sales team in both helping the interaction with the analyst firm and avoiding some embarrassing mistakes.

In fact, this book makes me proud to be an analyst. Then again, maybe it is my ego talking as the book seems to project an impression that “an analyst is the most important person in the world“, at least as far as IT vendors are concerned.

Finally, if you are an IT vendor marketer, remember: when you say “holistic,” some analysts think “imaginary.” Richard suggests scrubbing your presentations of silly, meaningless words like “synergy” and “holistic.”

Tuesday, June 12, 2012

"PCI Compliance", 3rd edition - Out On August 6, 2012

A new edition (3rd) of our book "PCI Compliance" is coming out on August 6, 2012.
It covers PCI DSS 2.0, as requested by many of our readers.  Other new materials include Emerging Technology and Alternative Payment Schemes, PCI for the Small Business, etc. A full ToC for this new edition is here.

Get the book in print or for Kindle!




Friday, May 18, 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

This book is probably the most thought-provoking book on security I have read in the last 5-7 years! While I'm somewhat known for my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconscious of the security industry.
In fact, the influence this book has already had on me is palpable: I found myself using some of its terms (such as the author’s favorites, “intellectual capital” and “CASE”) and concepts the day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-led” late 1990s to the “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in the history of the security industry - one that appeared at the best possible time, when it is most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Like the author, I have grown frustrated with the ranks of idiots who equate compliance and security. Even the author’s rant about ethics is something I've been thinking about for years.

The author slaughters a few of the sacred cows of the security industry: the one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of the 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on vulnerability assessment technology than the author (I don't think it gives you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetition for my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter has insights that will make you a better security professional today.
All book reviews.

Friday, March 09, 2012

The Log Book Needs YOUR Help!

As most of you know, I’ve been working on a book about logs, logging and log management for some number of years. At this point, the book is almost done, but the author team is having some minor time commitment issues (aka “less time to write than originally estimated”) :-)

So, do any of my esteemed blog readers (those adept in the dark arts of log analysis) care to help and write a few chapters here and there, in exchange for (lots of) immortal fame and (admittedly small amount of) cash?

Table of contents is here – if you see any chapters you’d like to help with, please let us know. I will post a list of chapters that really need help soon.

At this point, we have PLENTY of reviewing help, but we sure can use some writing help!

Monday, January 10, 2011

Book Review: “Security Information and Event Management (SIEM) Implementation”

Here is my review of “Security Information and Event Management (SIEM) Implementation” by David Miller, Shon Harris, Allen Harper, Stephen VanDyke and Chris Blask. It has just been posted to Amazon, rated 4 stars out of 5.

I was looking forward to reading this book for a few months – pretty much since the time I heard that it was being written. Obviously, I was very excited when it arrived in my mailbox. Now that I am done reading it, I can say it left a mixed impression. Mostly positive – but still mixed. I definitely enjoyed reading it, despite (or maybe due to) the fact that I’ve been involved with SIEM for nearly 10 years.

Let me first go through all the chapters and then give my overall impression. The book is organized in three big parts: “Introduction to SIEM: threat intelligence for IT systems”, “IT threat intelligence using SIEM systems” and “SIEM tools.”

Chapter 1 covers security basics with minimal connection to SIEM. It reads as an over-simplified refresher of what information security is about.

Chapter 2 can be summarized using a quote from the chapter itself: “the bad things that could happen.” It contains another refresher on attacks, somewhat jumbled and somewhat dated. We’re not really touching SIEM yet at this point.

Chapter 3 has the authors’ view of regulatory compliance: the usual suspects are mentioned – PCI DSS, HIPAA, FISMA, SB1386, SOX, GLBA, etc. HIPAA is not misspelled, which counts as good news :-)

Chapter 4 has a bizarre name: “SIEM concepts: components for small and medium-sized businesses.” It contains an overview of SIEM with little focus on SMBs. It is mildly confusing (for example, it calls LogRhythm “a commercial syslog server”). It contains a few outright mistakes as well (like a mention of one log management vendor whose application reportedly covers “all 228 PCI controls”). The chapter tries to talk about everything (yes, even GRC) and makes a very weak impression.

Chapter 5 looks like a twin of the previous chapter. It also contains an overview of SIEM, but a different one – a better one, in fact. These two chapters don’t contradict each other much, but their joint presence in the book is mysterious and somewhat confusing.

Chapter 6 is a sudden break from SIEM into incident response. It does contain a few useful – but high-level – flow charts for incident response. I doubt that it was written by somebody who did much incident response, however.

Chapter 7 is both a curse and a blessing. I loved the ideas in the chapter – using SIEM for BI – but I hated the fact that its author didn’t even bother to check what the “SIEM” abbreviation stands for (see page 116)…

Chapters 8 and 9 are about OSSIM/AlienVault. Of all the SIEM product chapters below, these are the weakest and the least useful. They offer little practical guidance and miss – yes, really! – most of the details you’d need to know before deploying OSSIM in production. I was especially annoyed by the “screenshot, three lines of text, screenshot, three lines of text…” pattern that most of Ch 8 and Ch 9 follow. It makes pages 152-166 just wasted paper. Ch 9 tries to be a bit more useful (it has two case studies), but collapses under the load of too many screenshots as well.

Chapters 10 and 11 talk about Cisco MARS. Since nobody cares about MARS anymore, I won’t be reviewing them here.

Chapters 12 and 13 cover the Q1Labs SIEM. Unlike the above, these are actually useful for practical architecture planning of QRadar deployments. These chapters also contain useful SIEM insights – still, even these could benefit from more real-world tuning tips. The case study in Ch 13 is useful as well. If you are thinking of getting the Q1Labs SIEM, grab the book to quickly review what you will encounter when you get the product.

Finally, Chapters 14 and 15 cover ArcSight SIEM. Despite minor mistakes and a “vendor whitepaper feel,” the chapters would be handy for people in the early stages of selecting, reviewing and deploying ArcSight SIEM. The chapters suffer a bit from trying to duplicate the product help – you’re more likely to learn how to patch ArcSight than how to use it well. Sadly, no case studies are included in these chapters.

Overall, the book has unfortunate signs of being written by a team of authors who didn’t talk to each other. Despite the promise of implementation guidance, it leaves some of the very complex SIEM issues untouched – and even unmentioned. There are very few case studies (some good ones are stashed in the appendix for some weird reason) and few tips and tricks for real-world SIEM implementation. Also, it is much stronger on the “what” than on the “how.” Still, I suggest that people buying, using and building SIEM products get their own copy and read at least the few chapters relevant to them. You will likely not be disappointed.

Friday, March 19, 2010

Minor Bit of Promotion: PCI Book Rocks!

The PCI book site has been updated with recent PCI DSS related videos and writing from Branden and me. For example, another big free chunk of a chapter (Chapter 12, “The Art of Compensating Control,” by Branden) is posted. The picture proves that we did manage to write “The PCI Book” and not just “a PCI book” :-)
And, of course, the ever-so-funny PCI videos:

  • ShmooCon 2010 Conference Panel "An Existential Threat To Security As We Know It?" (direct video link [FLV])
  • Security BSides San Francisco Panel "The Great Compliance Debate: No Child Left Behind or The Polio Vaccine" (part 1, part 2)
  • RSA 2010 Quick Clip "If you’re going for PCI compliance, just shut up and log" (direct video link)

Enjoy – if you missed it live.

While I am at it, let me make a few quick announcements.

Here are my fun upcoming speaking ops:
1. Source in April in Boston, MA (with Branden)
2. PCI DSS Workshop in April in Indianapolis, IN
3. Honeynet Project Annual in April in Mexico
4. HITB Amsterdam in July in Amsterdam (cool!)

Recent writing [guess what? it is about logs! And sometimes PCI DSS]:
1. "PCI DSS logging: A must for compliance" (part 1)
2. "Practical priorities in PCI DSS logging" (part 2)
3. "Shut up and Log!"

Miscellaneous:
1. You can now “rent a bit of Anton” via the Institute for Applied Network Security (IANS). I officially became “IANS faculty” a few weeks ago.
2. If you somehow missed the release of our "Critical Log Review Checklist for Security Incidents," then go get it!

Enjoy!

Saturday, February 20, 2010

Book Review “Cloud Security and Privacy”

Amazon just posted my review of “Cloud Security and Privacy” by Tim Mather, Subra Kumaraswamy and Shahed Latif.

It is reposted below for posterity – and my esteemed blog readers :-)

It goes without saying that I was very excited to pick up the first book on cloud security and privacy. Due to my Cloud Security Alliance (CSA) involvement, I was extremely interested in Tim’s take on the subject. The book is indeed a comprehensive treatise on everything cloud, and everything cloud security. The author team covers the topics based on the SPI model: IaaS/PaaS/SaaS, i.e. infrastructure, platform, and software as a service. They address stored data confidentiality, cloud provider operations, identity and access management in the cloud, availability management as well as privacy. My favorite chapter was of course the one on audit and compliance - chapter 8. Another fun chapter was chapter 12 on conclusions and the future of the cloud (which is, BTW, all but assured…).

One of the most important things I picked up from the book was a very structured view on the separation of security responsibilities between the cloud provider and the customer for all of the SPI scenarios. This alone probably justifies getting your own copy.

As far as technical content goes, the book stays fairly high-level even though it touches on the details of SAML and other authentication protocols.

The only downside of the book is its extremely dry writing style. There are only a few examples and case studies. Following the “just the facts” model sometimes might lead the reader towards losing interest, no matter how important the subject is – and this subject is pretty darn important. To put this in context, I do read security books for fun, not only for work.

Enjoy the book!


Tuesday, December 22, 2009

PCI Compliance Book at 50% TODAY

It looks like the fine folks at Syngress / Elsevier have given everyone a BIG holiday gift: our "PCI Compliance" book at 50% off with code 97561 (not sure for how long the discount code will work ... maybe just today). To use the code, buy the book direct from the publisher here.

This is awesome, pretty much! Even if you hate PCI :-)

And if you came here too late, but still in December, use this old code for 30% off. If the above also doesn't work, feel free to use the Amazon icon on the left.

BTW, while you are at it, check out the book website: www.pcicompliancebook.info

Think about it! PCI DSS, massive holiday shopping ... what can possibly go wrong? :-)

Tuesday, December 08, 2009

"PCI Compliance" Book Is Here!

Finally, the PCI book is here in the flesh. I decided to use this opportunity to try video on my blog. Here it is:


Friday, December 04, 2009

“PCI Compliance” Book 30% Discount code

I have not yet received my copy of the “PCI Compliance” book, but I was told it is OUT in the flesh.

During the entire “launch month” – December 2009 – you can get the book at 30% off using discount code: SYNGRESS30

Here is some more info:

BTW, we worked really hard on the book (and then the editors worked on us :-)) - despite this, some typos are unavoidable. Please report them and we will add them to the errata pages.

Enjoy!

Friday, November 06, 2009

Book Review: “The Myths of Security” by John Viega

My review of “The Myths of Security” by John Viega has been posted to Amazon; I gave it 4 out of 5 stars.

Think about this book as a printed collection of blog posts – some a dozen pages, some half a page. John’s essays – all 48 of them - read like a typical blog: fun views on hot subjects, controversial opinions, new ideas for the future, dispelled myths, cool technology ideas, etc. I definitely enjoyed reading the book, even if most of the material was at least somewhat familiar to me.

For starters, this was the first time that I have seen a book written by somebody employed by a major antivirus company who would agree that antivirus solutions don't work too well and slow down systems. It was very impressive to read that the author himself does not use an antivirus solution and didn’t even use one when he was in charge of building one! (Understandably, he does recommend that consumers use one on their systems.)

The following are some of my fave chapter highlights. “Security: Nobody Cares” is one of my favorites; it covers why people, on average, don’t care about information security. His analysis matches that of some other industry thinkers, but it is presented well in the book.

I also enjoyed his thinking about why Microsoft’s antivirus solution would never pick up and never present a threat to the big AV vendors. In his opinion, most people do not trust Microsoft as a security brand. He thinks that customers would always go to a security specialist and not to MS for antivirus tools, even if such a specialist is located in Russia or the Czech Republic. Also, it looks like the 30% success ratio for antivirus solutions is pretty much a commonly accepted number nowadays; it is mentioned in the book more than a few times.

One chapter that made me angry was chapter 7 on Google. He basically makes the insinuation that Google in particular and pay-per-click advertising in general motivate people to hack into systems; a view as illogical as it is silly.

In chapter 26, John has an interesting idea for a Social Security number replacement scheme. Many other chapters contain ideas for improving major parts of security technology, even if in some cases the author has to disclaim them with his disbelief about their implementation potential.

It is quite interesting that in chapter 28 John dispels the myth that including security early in the application design is cheaper. Compared to ignoring the problem until you get notice from customers, it is certainly more expensive. He touches most other known security industry “pain points” such as vulnerability disclosure. He proposes to replace “responsible disclosure” with a new scheme that, from my view, looks kinda similar, less dangerous for the world at large but less motivating to software vendors. He also discusses whether disclosing vulnerabilities reduces or increases the risk for consumers (in his view, it seems to increase it).

Closer to the end of the book the chapters get shorter and shorter. For example, chapter 42 ends up being half a page in length. It pretty much states that he would sacrifice some privacy for more functionality and so would most others, which seems to be a very popular view nowadays.

I was very happy to find that he devoted an entire chapter - 2 pages in length - to criticizing academic security research (one of my pet peeves!). He says “lots of academics are reinventing what the security industry has been doing for years.” [They are also reinventing a lot of “epic FAIL”, proven to not work.] The book also mentions that there is nowhere near enough data sharing between the security industry, where the problems are, and academia, where - supposedly - the brains are.

Other reviewers have pointed out that it is not clear what the audience for the book is. Many of the chapters seem written for the “curious consumer” while others are clearly intended for security practitioners or even security managers and imply a degree of IT industry savvy.

Finally, I have to say that multiple mentions of McAfee did not annoy me at all. I fully realize that if somebody employed by a vendor criticizes the very livelihood of that vendor (classic signature AV, in this case), you must throw your employer a major bone. You absolutely have to mention your employer positively to counterbalance the criticism, and he does – in many chapters.

To conclude, I read books on information security for fun. This book was a lot of fun to read even if I did not agree with some of his opinions. It is well-written, has a light writing style and touches most if not all controversial issues in security; the book also has a lot of fun novel ideas for the future to think about.

Monday, October 19, 2009

Book Review: “Into the Breach”

“Into the Breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

One of my favorite sections in Part 1 reminds us that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such a choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real-world consequences, as well as the “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs. “what is only perceived as risky?”

The core of the book is Part 2, where the author’s “strategy to protect information” is unveiled. The author then goes into some level of detail on how to implement the strategy (run a pilot, “build a flywheel”, etc).

On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but it does seem to convey its message pretty well.

Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it to your manager!


Wednesday, September 30, 2009

Book Review “Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century”

“There is no spoon.”

“Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century” by Ryan Trost-but-not-really (it is claimed to contain contributions by five other folks, but the exact chapters they wrote are unknown) is not a book: it is a collection of papers about security and intrusion detection. The book bears unfortunate, but noticeable, signs of being written by multiple people who didn't talk to each other much.

I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking – it is absent. Also, the book is not terribly practical if you define practice as “protection of systems and networks from attacks.” Many chapters are shallow and give the impression of being added to get the book to the 450-page threshold.

So, some chapters are fun and insightful (“Geospatial ID”, “Physical IDS”, the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what the “M” in those stands for… seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow (“Wireless IDS/IPS”). The chapter on ROI made me fall under my desk; I experienced an actual, literal ROFL – more on this below.

Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked the vulnerability-based signature definition workflow, which takes into account signature performance tuning. Ch5 was written by an academic who doesn’t get out much; it works great if you want to really know what the word “befuddled” means (it also mentions IDMEF for extra punch :-)). Ch6 is fine if you have never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while Ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved it; such information rarely shows up in IT books and it was great to learn it. Ch10, which deals with geospatial intrusion detection, is another good one, even though the approach looks a bit weird (example: all events with a source address close to a company facility are considered “false positives”…). Ch11 on visualization mentions all the right books on the subject, but then ends up comparing poorly to them.

Now, Ch12 (“Return on Investment: Business Justification”) is a pure freakshow; I have not laughed that hard for a few months at least. After I had a chance to think about it, I realized that maybe it was intended as comic relief, since it is the last chapter. Also, I am proud to be mentioned there (on page 404 – is this numerologically significant? :-)). In any case, the chapter computes the precise ROI for any IDS system, like this:

Gain [IDS] from investment = ALE = SBE x ARO = $517,580

SBE comes from 2007 (!) CSI survey data: SBE = $345,005. ARO comes from risk probability x expected number of incidents = 0.46 x 3.2 ≈ 1.5. The IDS is assumed to prevent all breaches (!), for computational simplicity, I am sure. … Anyhow, you get the drift.

Overall, if you want a moderately interesting security read with some good ideas, get it. If you are looking for information on practical intrusion analysis in whatever century, skip it.

Finally, Addison-Wesley provided me with a review copy.

    Tuesday, September 01, 2009

    “PCI Compliance” Book on Amazon!

    This is the big day in any author’s life: the release of the Amazon entry for the upcoming book.

    Ours (Branden’s and mine) just came out:

    PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance by Dr. Anton Chuvakin (Author), Branden R. Williams (Author)

    Time for a wild celebration! The cover art might change, the typos will get corrected, but all the champagne will be finished by then :-)

I am not trying to hint at anything :-), but here is the "buy the book" link:

And, of course, time to thank the fine folks at Syngress/Elsevier for making it a reality!!

BTW, we are working on a super-cool website to go with it, but it is still a complete secret :-)

    Saturday, August 08, 2009

    Book Review “Chained Exploits”

As you might guess, I often read security books for fun, not for solving a particular technical problem. So I approached “Chained Exploits” by Andrew Whitaker et al. with that filter in mind. The book worked just fine for that purpose – it is well-written and has a story line, while covering enough technical details to be educational (for those who are reading it to learn about security and not just for fun). It covers the exploits of a malicious hacker “Phoenix” who fulfills the assignments of some underground criminal mastermind and sometimes just goes and 0wns somebody on his own. Obviously, the book does not cut it as “fiction” since it has actual commands, configuration, etc.

The book is not about a new cutting-edge technique or an “oh-day”; its main goal is to actually tie “that security stuff” together for folks who are not skilled with it yet. IMHO, IT folks getting into security will benefit from it the most. If you 0wn boxes for fun and profit, you will not learn anything fundamentally new about security, but likely will have fun in the process. Think about it as “Life-like Security Horror Stories” or realistic scenarios. Still, these are a bunch of good stories of how mundane, “uncool” attacks tie together to achieve some rampant 0wnage, like having people at a hospital almost die as a result of one particular scenario…

Each story covers the motivation and goals of the attack, the planning stage, sometimes failed attempts (and why they fail), tool selection and some guidance on tool use. Then it explains what happens and finally covers countermeasures that could have stopped it.

    The book bears unfortunate, but noticeable signs of being written by multiple people who didn’t talk to each other much.

Finally, the name (“Chained Exploits”) at first turned me away from the book; I thought it was kinda silly. Now I suspect that it will attract some folks to the book.

Recommendation: definitely worth a read if you are new to security, especially if moving from IT. Useful for students in computer science classes to get motivated about security. Also useful for technical management to learn what is not just possible, but very real. Finally, useful for security folks – as a fun read – and also as a reminder about things in their own (still their own, not 0wned…) environments.

    Sunday, May 31, 2009

    Book Review “Beautiful Security”

    As I mentioned before, I just had to celebrate the release of this awesome security book “Beautiful Security” from O’Reilly, which I just finished reading.

Now, I will probably have a high opinion of my own chapter (“Beautiful Log Handling”) since it took some work (eh… and one complete rewrite :-)) to create (this is why people LOVE O’Reilly books!!). However, I am just about as excited about the rest of the chapters in the book.

    Namely:

1. Psychological Security Traps by Mudge: awesome chapter with some fun ideas. Must read.

    2. Wireless Networking: Fertile Ground for Social Engineering

3. Beautiful Security Metrics by Betsy Nichols: if you are “a metrician”, there won’t be anything new (apart from her interesting medical research analogy); otherwise, a MUST read!

    4. The Underground Economy of Security Breaches: not a bad, even if a bit dated, review of underground economics.

5. Beautiful Trade: Rethinking E-Commerce Security by Ed Bellis: this is one of the 2 chapters that I like more than my own (and that is coming from a fairly egotistic person ;-)); this has lots of visionary ideas on payment security.

6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West by Ben Edelman: this one is a fascinating read about attacks by and on online advertising. Definitely both enjoyable and insightful.

    7. The Evolution of PGP’s Web of Trust

    8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits: a good read for those not familiar with “client honeypots” or “honeyclients”

9. Tomorrow’s Security Cogs and Levers by Mark Curphey: this chapter exudes pure awesomeness and is the best in the book; I have read it three times already and plan to read it a few more. A quick preview of what is in the chapter is here on Mark’s blog. Sorry that it sounds cliché, but this chapter definitely stimulates new, beautiful ways of “thinking security”!!

    10. Security by Design by John McManus: a very good chapter that mixes NASA, security and software design. Read it and learn from it.

11. Forcing Firms to Focus: Is Secure Software in Your Future? by Jim Routh: great chapter that describes one company’s battle for securing software (first its own and then 3rd party).

    12. Oh No, Here Come the Infosecurity Lawyers: way too much ROI and ROSI to my taste; also has ALE horror. Killed all the fun for me.

13. Beautiful Log Handling by Anton Chuvakin: eh… make your own opinion here :-)

14. Incident Detection: Finding the Other 68% by Grant Geyer: good old data correlation of IDS alerts, logs and other information is covered in this well-written chapter.

    15. Doing Real Work Without Real Data

    16. Casting Spells: PC Security Theater: this chapter was sad as it was the last. It was a sad piece of misdirected marketing that should have no place in O’Reilly books, IMHO.

    Overall, this was BY FAR the most insightful and enjoyable security book that I’ve read in a long time!

    BTW, authors of this book are not getting paid, but feel free to grab your own copy at Amazon or elsewhere.

    Thursday, May 14, 2009

    On “Beautiful Security”

    This is my first post since coming back from vacation; as you can guess, I’ve been busy with work and not with blogging. Still, I just have to celebrate the release of this awesome security book “Beautiful Security” from O’Reilly. I just received my author copies and can’t wait to start reading the other chapters.

Now, I will probably have a high opinion of my own chapter (“Beautiful Log Handling”) since it took some work (eh… and one complete rewrite :-)) to create (this is why people LOVE O’Reilly books!!). However, I am just about as excited about the rest of the chapters in the book. Namely:

    1. Psychological Security Traps

    2. Wireless Networking: Fertile Ground for Social Engineering

    3. Beautiful Security Metrics

    4. The Underground Economy of Security Breaches

    5. Beautiful Trade: Rethinking E-Commerce Security

    6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West

    7. The Evolution of PGP’s Web of Trust

    8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits

    9. Tomorrow’s Security Cogs and Levers

    10. Security by Design

    11. Forcing Firms to Focus: Is Secure Software in Your Future?

    12. Oh No, Here Come the Infosecurity Lawyers!

    13. Beautiful Log Handling

    14. Incident Detection: Finding the Other 68%

    15. Doing Real Work Without Real Data

    16. Casting Spells: PC Security Theater

    BTW, authors of this book are not getting paid, but feel free to grab your own copy at Amazon or elsewhere :-)

    Dr Anton Chuvakin